Malicious NPM packages are part of a malware “blitz” that hits repositories


Malicious NPM packages are part of a

Researchers have found 17 other malicious packages in an open source repository, as the use of such repositories to spread malware continues to flourish.

This time, the malicious code was found in NPM, where 11 million developers exchange more than 1 million packages with each other. Many of the 17 malicious packages appear to have been spread by different threat actors who used different techniques and amounts of effort to trick developers into downloading malicious products instead of the intended benign ones.

This latest discovery continues a trend first detected a few years ago, in which criminals infiltrate information thieves, keyloggers, or other types of malware in packages available from NPM, RubyGems, PyPi, or another repository. In many cases, the malicious package has a name that is a different letter than a legitimate package. Often times, the malicious package includes the same code and functionality as the package being impersonated and adds hidden code that performs additional nefarious actions.

A mature attack vector

“We are witnessing a recent barrage of malicious software hosted and delivered through open source software repositories,” JFrog researchers Andrey Polkovnychenko and Shachar Menashe wrote on wednesday. “Public repositories have become a useful tool for the distribution of malware: the repository server is a reliable resource and communication with it does not raise the suspicion of any antivirus or firewall. Additionally, the ease of installation through automation tools, such as the npm client, provides a mature attack vector. “

Most of the packages JFrog flagged stole credentials or other information for Discord’s servers. Discord has become a popular platform for people to communicate via text, voice, and video. Compromised servers can be used as command and control channels for botnets or as a proxy when downloading data from a hacked server. Some packages stole credit card data associated with hacked Discord accounts.

Two packages, discord-lofy and discord-selfbot-v14, come from an author using the name davisousa. They pose as modifications of the popular legitimate discord.js library, which allows interaction with the Discord API. The malware incorporates the original discord.js library as a base and then injects obfuscated malicious code into one of the package files.

The JFrog researchers wrote:

The obfuscated version of the code is huge: over 4,000 lines of unreadable code, containing all possible obfuscation methods: mangled variable names, encrypted strings, code docking, and mirrored function calls:

Through manual scripting and analysis, we were able to de-cloud the package and reveal that its final payload is pretty straightforward – the payload simply iterates over known browsers’ local storage folders (and Discord-specific folders) and then searches for them. of chains. looks like a Discord token by using a regex. Any token found is sent back via HTTP POST to the encrypted server https://aba45cf.glitch.me/polarlindo.

Another package called bug-fix claimed to fix bugs in a discord selfbot. It also contained malicious code that had been obfuscated, but in this case it was much easier for researchers to de-obfuscate it. Investigators soon determined that the hidden code was a stolen version of the Pirate robber, an application that steals credit card information, login credentials, and other private data stored on a Discord client. It works by injecting malicious Javascript code into the Discord client. Then the code “spies” on the user and sends the stolen information to an encrypted address.

A third example is prerequests-xcode, a package that contains the functionality of a remote access Trojan. The researchers wrote:

By inspecting the packet code, we identify that it contains a Node.JS port of
DiscordRAT(originally written in Python) that gives the attacker full control over the victim’s machine. The malware is hidden with the popular online tool. obfuscator.io, but in this case it is enough to inspect the list of available commands to understand the functionality of the RAT (copied verbatim).

The full list of packages is:

Package Version Useful load Infection method
prerequests-xcode 1.0.4 Remote Access Trojan (RAT) Unknown
discord-selfbot-v14 12.0.3 Discord Token Grabber Typosquatting / Trojan (discord.js)
discord 11.5.1 Discord Token Grabber Typosquatting / Trojan (discord.js)
discord system 11.5.1 Discord Token Grabber Typosquatting / Trojan (discord.js)
discord-villa 1.0.0 Discord Token Grabber Typosquatting / Trojan (discord.js)
fix error 1.0.0 Pirate robber (Discord malware) Trojan
wafer binding 1.1.2 Environment variable thief Typosquatting (wafer- *)
wafer autocomplete 1.25.0 Environment variable thief Typosquatting (wafer- *)
wafer beacon 1.3.3 Environment variable thief Typosquatting (wafer- *)
wafer-reeds 1.14.20 Environment variable thief Typosquatting (wafer- *)
toggle wafer 1.15.4 Environment variable thief Typosquatting (wafer- *)
wafer geolocation 1.2.10 Environment variable thief Typosquatting (wafer- *)
wafer image 1.2.2 Environment variable thief Typosquatting (wafer- *)
wafer shape 1.30.1 Environment variable thief Typosquatting (wafer- *)
wafer light box 1.5.4 Environment variable thief Typosquatting (wafer- *)
eighth public 1,836,609 Environment variable thief Typosquatting (octavius)
mrg-message-broker 9998.987.376 Environment variable thief Dependency confusion

As noted above, NPM is not the only open source repository infiltrating malicious packages. The PyPi repository for Python has seen its share of malware-laden packages, as has RubyGems.

People who download open source packages need to take special care to ensure that the item they are downloading is legitimate and not malware disguised as legitimate. Larger organizations that rely heavily on open source software may find it helpful to purchase package management services, which JFrog simply sells.


arstechnica.com

Leave a Reply

Your email address will not be published. Required fields are marked *